Biggest source of DOD’s cyber threats: inept co-workers

By Kevin McCaney

Mar 28, 2014

Defense Department IT professionals are nearly as concerned about internal threats as they are external hacking of their networks — and most concerned about careless or poorly trained insiders as a source of threats, according to a recent survey by SolarWinds, an IT management software provider.

In the survey, which addressed cybersecurity threats and preparedness across the federal government, 41 percent of DOD respondents named insider data leakage/theft as a threat, not far below the 48 percent who identified external hacking.

And although those responses may have come with the disclosures of Edward Snowden and Chelsea Manning in mind, it seems inept co-workers, rather than intentional leakers, are the biggest concern. Fifty-three percent of DOD respondents cited careless/untrained insiders as a source of security threats, more than foreign governments (48 percent), terrorists (31 percent) or the general hacking community (35 percent). Malicious insiders weren’t left out, however, being cited by 26 percent of respondents.

SolarWinds conducted the online survey earlier this year of 200 IT and IT security professionals in the federal government, 40 percent of whom worked in the military. The results showed a lot of similarities in the concerns of civilian and military agencies, as well as some notable differences.

Overall, the respondents were pretty confident in their IT defenses, with 94 percent rating their cybersecurity readiness as good or excellent (though more good, at 50 percent, than excellent, at 44 percent).

External hacking was the most commonly cited threat in the overall survey, being named by 50 percent of the respondents, followed by malware (46 percent), social engineering (37 percent) and spam (36 percent), with similar results coming from civilian and Defense agencies.

Differences cropped up in a few areas, though. Only 21 percent of civilian respondents cited insider data leakage/theft as a threat, compared with DOD’s 41 percent. And twice as many civilian respondents (25 percent to 12 percent) named mobile device theft as a threat, perhaps reflecting the fact that DOD has to date eschewed BYOD. DOD respondents also were more concerned than their civilian counterparts about physical security attacks, 25 percent to 13 percent.

As for the sources of those threats, civilian responses differed in some areas from those from the military concerns listed above. The biggest threat sources for civilian agencies: general hacking community (55 percent), careless/untrained insiders (35 percent), hacktivists (27 percent), foreign governments (24 percent), and terrorists and for-profit crime (both at 13 percent). Only 6 percent of military respondents were worried about for-profit crime.

And although respondents said their cyber readiness was in good shape, they did see some barriers to maintaining or improving security, namely budget constraints (cited by 40 percent of respondents overall), internal challenges such as competing priorities (19 percent) and complex internal environments (14 percent).

Those same issues showed up when respondents were asked about what gets in the way of implementing appropriate IT security tools, led by lack of budget (63 percent) and “turf battles (42 percent).